ROLLOVER Subcommand

The ROLLOVER subcommand retires a private key of an older certificate that is being superseded by a new one.
The private key is a file that is used to encrypt and decrypt data. The ROLLOVER subcommand performs the following actions:
  • Deletes the private key of the old certificate so that it can no longer be used to sign or encrypt documents or certificates.
  • Replaces the old certificate with the new certificate (as specified by the NEWLABEL keyword) in every key ring to which the old certificate is connected.
  • Copies the serial number base from the old certificate to the new certificate.
When the rollover is complete, the new certificate is used as if it were the old certificate. The old certificate is still available to verify signatures and decrypt data, but it can no longer be used to sign or encrypt.
ROLLOVER {logonid|logonid.suffix|CERTAUTH|CERTAUTH.suffix|SITECERT|SITECERT.suffix} [Label(old_certificate_label)] [NEWLabel(new_certificate_label)|NEWSufx(new_certificate_suffix)] [Force]
Examples: Delete and replace a private key
As a security administrator, you are responsible for ensuring that private keys from an older certificate are no longer used. Replace a certificate by using a logonid and labels for the old and new certificates:
  ROLLOVER CERTAUTH LABEL(Local CA) NEWLABEL(Local CA 2021)
In this example, the CERTAUTH certificate labeled "Local CA" is replaced by the certificate labeled "Local CA 2021" (the NEWLABEL value). Doing so deletes the private key of the old certificate so that it can no longer be used.
  • logonid | logonid.suffix | CERTAUTH | SITECERT
    Specifies the logonid that is associated with the certificate. The value can be a one- to eight-character logonid, or a logonid followed by a period and a one- to eight-character suffix. If Label is specified, logonid must also be specified and indicates the logonid with which the label is associated.
  • Label(label)
    Specifies the one- to 32-character label of the old (source) certificate whose private key is deleted. The label can contain blanks and mixed-case characters. For every apostrophe that you want in the Label value, specify two consecutive apostrophes. For example, the value Frank's Certificate should be specified as Frank''s Certificate. A value that contains a single apostrophe is invalid.
  • NEWLabel(label)
    Specifies the one- to 32-character label of the new (target) certificate that replaces the old certificate in all the key rings to which the old certificate was connected. The NEWLABEL value can contain blanks and mixed-case characters. However, the value must be unique to the logonid with which the new certificate is associated. If NEWLABEL is not specified, specify NEWSUFX. For every apostrophe that you want in the NEWLABEL value, specify two consecutive apostrophes. For example, the value Frank's Certificate should be specified as Frank''s Certificate. A value that contains a single apostrophe is invalid.
  • NEWSufx(record suffix)
    Specifies the one- to eight-character record suffix of the new (target) certificate. The new suffix can be used in place of the NEWLABEL field.
  • FORCE
    Performs the rollover unconditionally, bypassing the following checks:
    1. The values of LABEL and NEWLABEL must be different. If NEWSUFX is specified instead of NEWLABEL, the label of the new certificate must be different from the LABEL value.
    2. The certificates that are identified by LABEL and NEWLABEL (or NEWSUFX) must be associated to private keys.
    3. The certificate that is identified by NEWLABEL (or NEWSUFX) must have never been the target of a previously issued ROLLOVER subcommand and never used to sign other certificates.
    4. The certificate that is identified by NEWLABEL (or NEWSUFX) must not have the GENREQ indicator that is assigned on the CERTDATA record.
    If LABEL and NEWLABEL are the same, and the FORCE keyword is used, the product deletes the private key of the certificate.
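As an added illustration that is not part of the ACF2 documentation or product, the following Python models the four preconditions that FORCE bypasses and the apostrophe-doubling rule for labels, and only builds the subcommand text when those checks pass (or FORCE is requested). The CertRecord fields and the function names are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed model of the CERTDATA attributes that ROLLOVER inspects (assumed for this example).
@dataclass
class CertRecord:
    label: str
    has_private_key: bool
    rollover_target: bool = False    # was the target of an earlier ROLLOVER
    signed_other_certs: bool = False # has signed other certificates
    genreq: bool = False             # GENREQ indicator on the CERTDATA record

def quote_label(label: str) -> str:
    """Apply the label rules from the page: 1 to 32 characters, each apostrophe doubled."""
    if not 1 <= len(label) <= 32:
        raise ValueError("label must be 1 to 32 characters")
    return label.replace("'", "''")

def rollover_checks(old: CertRecord, new: CertRecord) -> List[str]:
    """Return the preconditions that would fail; these are the checks FORCE bypasses."""
    problems = []
    if old.label == new.label:
        problems.append("LABEL and NEWLABEL must differ")
    if not (old.has_private_key and new.has_private_key):
        problems.append("both certificates must have private keys")
    if new.rollover_target or new.signed_other_certs:
        problems.append("new certificate was a ROLLOVER target before or has signed certificates")
    if new.genreq:
        problems.append("new certificate carries the GENREQ indicator")
    return problems

def build_rollover(owner: str, old: CertRecord, new: CertRecord, force: bool = False) -> str:
    """Build the ROLLOVER subcommand text; refuse when a check fails and FORCE is not set."""
    # owner is a 1-8 character logonid (CERTAUTH/SITECERT included), optionally ".suffix" of 1-8 characters
    if not re.fullmatch(r"[^.]{1,8}(\.[^.]{1,8})?", owner):
        raise ValueError("owner must be logonid[.suffix], CERTAUTH[.suffix] or SITECERT[.suffix]")
    problems = rollover_checks(old, new)
    if problems and not force:
        raise ValueError("; ".join(problems))
    cmd = f"ROLLOVER {owner} LABEL({quote_label(old.label)}) NEWLABEL({quote_label(new.label)})"
    return cmd + " FORCE" if force else cmd

if __name__ == "__main__":
    old_ca = CertRecord("Local CA", has_private_key=True)
    new_ca = CertRecord("Local CA 2021", has_private_key=True)
    print(build_rollover("CERTAUTH", old_ca, new_ca))
```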